Introducing SPL2: The Next-Generation Search & Data Preparation Language for Splunk

We’re excited to announce the worldwide availability of Search Processing Language version 2 (SPL2), the next evolution of our powerful SPL language for data search and preparation, now in Splunk Enterprise and Splunk Cloud Platform. As the single language powering the Cisco Data Fabric, SPL2 offers analysts, app developers, and data administrators a powerful, flexible, and intuitive way to interact with data. Building on the strengths of SPL, SPL2 enables seamless transformation of both streaming data in flight and data at rest. Now integrated across the Splunk ecosystem, including Splunk Edge, Ingest Processor, and the single search and module editor in the SPL2 Search and Reporting app, SPL2 sets a new standard for how customers access, prepare, and transform data.

For years, Splunk Enterprise and Splunk Cloud Platform have empowered users with SPL, the best-in-class query language for investigating and monitoring logs and metrics. Its administrator-friendly syntax has been essential for security, infrastructure, and application monitoring, and its power and flexibility have fostered a skilled and passionate ecosystem of analysts and admins. But as powerful as SPL is, users have long asked for enhancements to boost productivity: making learning SPL easier for users coming to the Splunk platform from a database or SQL background; providing a user experience better suited to complex investigations and debugging; and offering better in-product feedback during SPL authoring. Meanwhile, administrators and developers have sought better management tools to overcome data sharing limitations, improvements around search and knowledge object reuse, and better tools to identify and remedy poor data quality. And with the ubiquity of cloud object stores with varying storage formats and access patterns, security and IT organizations needed a unified way to access all their data more than ever before.

The screenshot showcases the SQL-like syntax of SPL2 in action, demonstrating how users can write familiar, intuitive queries within the Splunk platform. This highlights SPL2’s ease of use for those coming from a SQL background, making data search and analysis more accessible and efficient.

SPL2 is designed to solve these issues and many more. Our unified search and stream language, SPL2 offers a single syntax for searching data in Splunk indexes and preparing data in-stream. With its familiar SPL-like syntax and added support for SQL-like syntax, SPL2 can process data regardless of where the data resides, as well as prepare, transform, and route incoming data, all through the same language. The SPL2 multi-statement “module” editor offers rich autocomplete, in-product documentation, and an intuitive point-and-click user experience. This makes it easy for both new and experienced users to construct SPL2 syntax without deep familiarity with the language. Users can leverage these modules to build comprehensive, chained multi-search investigations, enabling efficient root cause analysis and grouping of related searches, all while removing the need for analysts to switch between multiple tabs to iterate on a search. Users don’t have to worry about a steep learning curve for SPL2: because SPL2 is very similar to SPL, users can continue to leverage their SPL knowledge and built-up libraries of customized SPL queries by writing SPL embedded within SPL2, and by using the point-and-click SPL to SPL2 converter if they want.

This illustrates how a Splunk analyst can use the SPL2 module editor to run an incident analysis, chaining multiple search statements together within a single, streamlined workflow. This enables efficient investigation and clear documentation of each step in the analysis process.

SPL2 revolutionizes workflows for admins and developers as well, with industry-changing features. Data views let admins define SPL2-based "views" over indexes that can be independently permissioned, allowing for precise data sharing and reducing index bloat, while custom-built SPL2 data types can let customers identify data of poor quality and conditionally drop it in-stream using Edge and Ingest Processor. Meanwhile, power users and developers can write and share custom functions with code-style declarations for reuse across the Splunk ecosystem, while also using modernized JSON handling with powerful lambda expressions for transforming complex nested JSON using map, reduce, and filter.

This demonstrates how Splunk admins can easily create and export SPL2-based views over indexes. With flexible permission settings, these views enable secure, precise data sharing and simplify data management across the Splunk ecosystem.

By using SPL2 in Splunk’s search solutions (Splunk Enterprise and Splunk Cloud Platform) and stream solutions (Edge Processor and Ingest Processor), customers can exert immense control over their data ecosystem with a single language. SPL2 can be reused across search and ingest solutions, allowing admins to detect data issues during search, then mitigate these issues upstream during ingestion by reusing the same logic. With SPL2’s “learn once, use everywhere” model, customers can streamline investments across their security and observability landscape, and create central teams with skillsets that span multiple products and domains instead of maintaining dedicated teams for each product.

SPL2 expands beyond analysts and admins, empowering developers to customize Splunk applications with SPL2 module files. These modules let developers ship apps with curated data, custom functions, data quality validation, and packaged out-of-box views for their customers. By enhancing the app ecosystem, SPL2 lets developers create richer analytics and streamlined workflows for users.

With SPL2, Splunk users now have an unparalleled tool to simplify data interaction, streamline workflows, and unlock deeper insights across their entire data ecosystem. Whether you're an analyst looking for intuitive SQL-like querying, an admin seeking precise data governance, or a developer aiming to build richer applications, SPL2 is designed to elevate your Splunk experience. Don't wait to harness the power of this next-generation language! Get started today by exploring SPL2 in Splunk Enterprise and Splunk Cloud Platform, and dive deeper into its capabilities by visiting our comprehensive documentation for details and availability restrictions.

Interested in learning more or sharing your experiences with SPL2? Join the #spl2 channel in the Splunk Slack community.
